<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Connections</title>
	<atom:link href="http://breachblogsanjay.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://breachblogsanjay.wordpress.com</link>
	<description>Connections is a blog by Sanjay Mehta.</description>
	<lastBuildDate>Tue, 06 Oct 2009 17:00:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='breachblogsanjay.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/f207d83b401478eb500aea3640b0c254?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Connections</title>
		<link>http://breachblogsanjay.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://breachblogsanjay.wordpress.com/osd.xml" title="Connections" />
	<atom:link rel='hub' href='http://breachblogsanjay.wordpress.com/?pushpress=hub'/>
		<item>
		<title>WebDefend 4.0 &#8211; Protecting Your Organization&#8217;s Bottom Line</title>
		<link>http://breachblogsanjay.wordpress.com/2009/10/06/webdefend-4-0-protecting-your-organizations-bottom-line/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/10/06/webdefend-4-0-protecting-your-organizations-bottom-line/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 16:59:18 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=122</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 10/6/09 Breach today released the latest version of WebDefend, which features continuous web application performance monitoring, enhanced adaption and a new system-level dashboard. WebDefend 4.0’s new web application monitoring provides users with real-time visibility into the performance of their web applications. Now IT operators can track aggregate end user experience and [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 10/6/09</em></p>
<p>Breach today released the latest version of WebDefend, which features continuous web application performance monitoring, enhanced adaption and a new system-level dashboard.<br />
WebDefend 4.0’s new web application monitoring provides users with real-time visibility into the performance of their web applications. Now IT operators can track aggregate end user experience and report service levels by providing real-time visibility into areas such as site and URL level availability or site, URL and session level speed.</p>
<p>WebDefend 4.0 also tracks the top problem areas within a web application environment. As a result,  WebDefend’s application performance monitoring reduces the time necessary to identify and repair web application performance problems, reducing costs and increasing return on investment in web application environments. WebDefend 4.0 monitors every transaction in a web application environment, enabling accurate service level reporting and outsourcer management.</p>
<p>WebDefend 4.0 features several enhancements in the WebDefend Adaption engine, such as its ability to automatically relearn applications as they change in production – without manual intervention. The new enhancements help organizations use Adaption without negative security rules and signatures to eliminate false positives resulting from application changes, identify zero-day and targeted attacks, and block with confidence.</p>
<p>The appliance’s new system-level dashboard offers a real-time status of all systems in the WebDefend deployment. In short, WebDefend 4.0 accelerates the identification of application problems and trends that affect an organization’s bottom line.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/10/06/webdefend-4-0-protecting-your-organizations-bottom-line/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Unlock the Power of Web Application Integrity</title>
		<link>http://breachblogsanjay.wordpress.com/2009/03/11/unlock-the-power-of-web-application-integrity/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/03/11/unlock-the-power-of-web-application-integrity/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 17:42:29 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=92</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 3/11/09 Web applications are the backbone of your businesses! But like all backbones, if you don’t take care of them they tend to become frail, poor performing, and vulnerable to injury over time. Unfortunately, monitoring and maintaining the health and security of web applications isn’t as simple as [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 3/11/09<img class="alignright size-thumbnail wp-image-95" title="key-30" src="http://breachblogsanjay.files.wordpress.com/2009/03/key-30.gif?w=128&#038;h=61" alt="key-30" width="128" height="61" align="right" /></em></p>
<p>Web applications are the backbone of your businesses! But like all backbones, if you don’t take care of them they tend to become frail, poor performing, and vulnerable to injury over time.</p>
<p>Unfortunately, monitoring and maintaining the health and security of web applications isn’t as simple as a daily dose of calcium. The benefits associated with your web applications can quickly unravel if the integrity of the web applications becomes compromised. Defects in web applications can lead to lost revenue and customers, damaged reputation and brand, code leakage, and compliance violations. This isn’t to say you should give up now – instead, implement a focused program to identify possible defects and vulnerabilities that lie in your web applications and take steps to remediate them.</p>
<p>Here are some “must do” steps to maintain the integrity and security of your web applications:</p>
<ul>
<li><strong>Stay current: </strong>Web applications and threats are continuously changing – you need a solution that is adaptive and is able to continuously monitor.</li>
<li><strong>Defense-in-depth, not just for networks anymore: </strong>Web applications need to be monitored through all steps in Development, QA, Staging, Production.</li>
<li><strong>The “response” matters: </strong>For a complete picture on the health of your web applications you need full outbound inspection and correlation.</li>
<li><strong>Compliance is a goal: </strong>Good security leads to compliance but compliance programs should not lead to better security.</li>
<li><strong>You cannot improve what you don’t understand: </strong>Foster an environment for application security and integrity by bridging the gap between your security and development teams.</li>
<li><strong>Find the right security partner!</strong></li>
</ul>
<p>Remember simple defects can result in serious problems.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/03/11/unlock-the-power-of-web-application-integrity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://breachblogsanjay.files.wordpress.com/2009/03/key-30.gif?w=128" medium="image">
			<media:title type="html">key-30</media:title>
		</media:content>
	</item>
		<item>
		<title>Stuck in Groundhog Day Code Review</title>
		<link>http://breachblogsanjay.wordpress.com/2009/02/06/stuck-in-groundhog-day-code-review/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/02/06/stuck-in-groundhog-day-code-review/#comments</comments>
		<pubDate>Fri, 06 Feb 2009 17:11:51 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Business & Security]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=43</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 2/5/2009 If you are like thousands of companies updating web applications on a regular basis, then you are probably investing a lot of time and money into performing continuous code reviews.  While your QA team is responsible for checking the quality and security of the new code, they are also stuck [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 2/5/2009</em></p>
<p><img class="alignright" style="margin:2px 10px;" src="http://farm4.static.flickr.com/3099/3178289326_b7c94830b7_o.jpg" alt="GROUNDHOG 1" width="56" height="73" align="right" />If you are like thousands of companies updating web applications on a regular basis, then you are probably investing a lot of time and money into performing continuous code reviews.  While your QA team is responsible for checking the quality and security of the new code, they are also stuck with ensuring the new doesn’t break the old.  A nice, long, tedious process for sure&#8230;.fun stuff.  Add in a little pressure from the executive offices to get applications out on time and it’s no surprise that code sneaks out with application defects and security flaws.  And these “oversights” have major costs in remediation, not to mention the risks of alienating good customers, destroying brand, and exposing far too much information to users with malicious intent.  Let’s look at some numbers to make this more real:</p>
<p style="padding-left:30px;text-align:left;">- Every 1000 lines of code averages 15 security defects.<br />
- It takes 75 minutes on average to track down one defect.<br />
- Fixing each defect takes 2 to 9 hours.<br />
- The average business application has 150,000-250,000 lines of code.<br />
<strong>- Cost based on lowest figures from above: 9,000 x $25.00 =  $225,000.00</strong></p>
<p>Finding defects in code is a time consuming and expensive business process.  Automation and continuous inspection are key to getting a handle on this process.  I am not saying to toss your software development procedures out the window, but you should certainly consider alternatives and complementary strategies.  If you are looking for a starting point, check out <a href="http://www.breach.com/products/webdefend.html" target="_blank">Breach’s WebDefend</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/02/06/stuck-in-groundhog-day-code-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://farm4.static.flickr.com/3099/3178289326_b7c94830b7_o.jpg" medium="image">
			<media:title type="html">GROUNDHOG 1</media:title>
		</media:content>
	</item>
		<item>
		<title>Announcing the Launch of WebDefend v3.5</title>
		<link>http://breachblogsanjay.wordpress.com/2009/01/30/announcing-the-launch-of-webdefend-v35/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/01/30/announcing-the-launch-of-webdefend-v35/#comments</comments>
		<pubDate>Fri, 30 Jan 2009 19:16:28 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=72</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 1/30/09 We have liftoff.  I am happy to announce the release of Breach WebDefend v 3.5.    I have had the pleasure of working closely with our customers over the last 3 years as we have expanded WebDefend from a simple WAF into a comprehensive platform for application security, integrity and compliance.  [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 1/30/09</em></p>
<p>We have liftoff.  I am happy to announce the release of Breach WebDefend v 3.5.    I have had the pleasure of working closely with <img class="alignright size-thumbnail wp-image-74" title="rocket-25" src="http://breachblogsanjay.files.wordpress.com/2009/01/rocket-25.jpg?w=63&#038;h=67" alt="rocket-25" width="63" height="67">our customers over the last 3 years as we have expanded WebDefend from a simple WAF into a comprehensive platform for application security, integrity and compliance.  Great products are certainly developed by great engineers, but they are defined by great prospects and customers.  With ideas from global leaders in finance, ecommerce, education, government and more, version 3.5 delivers increased performance, expanded blocking options, enhancements to scraping protection and much more.  So thanks to all that have standardized on WebDefend, we look forward to rolling out the new version.  And for those of you that haven’t joined the Breach Revolution&#8230;.jump on, it’s a great ride.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/01/30/announcing-the-launch-of-webdefend-v35/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://breachblogsanjay.files.wordpress.com/2009/01/rocket-25.jpg?w=90" medium="image">
			<media:title type="html">rocket-25</media:title>
		</media:content>
	</item>
		<item>
		<title>Simplifying the Threat</title>
		<link>http://breachblogsanjay.wordpress.com/2009/01/13/59/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/01/13/59/#comments</comments>
		<pubDate>Tue, 13 Jan 2009 21:14:06 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Industry News]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/2009/01/13/59/</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 1/13/2009 Sometimes the simplest mistakes can cause great harm, and if you want proof, take a look at today’s web based business applications.  On January 12, 2009, CWE &#38; SANS announced the Top 25 Most Dangerous Programming Errors. This list, assembled from more than 30 US and international security organizations, will [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 1/13/2009<img class="alignright size-thumbnail wp-image-58" title="simplify" src="http://breachblogsanjay.files.wordpress.com/2009/01/simplify.gif?w=68&#038;h=96" alt="simplify" width="68" height="96" align="right" /></em></p>
<p>Sometimes the simplest mistakes can cause great harm, and if you want proof, take a look at today’s web based business applications.  On January 12, 2009, CWE &amp; SANS announced the <a href="http://www.sans.org/top25errors/?utm_source=web&amp;utm_medium=text-ad&amp;utm_content=Announcement_Bar_20090111&amp;utm_campaign=Top25&amp;ref=37029" target="_blank">Top 25 Most Dangerous Programming Errors</a>. This list, assembled from more than 30 US and international security organizations, will revolutionize the way businesses maintain their web applications’ integrity and the way people are trained to write secure code.</p>
<p>This priority list helps all businesses, both large and small, take better control of their application security. Many enterprise corporations I visit have a hard time keeping up with the changes in a dynamic application environment, let alone how those changes might introduce new security vulnerabilities or application integrity concerns.  But now, thanks to these industry experts, including Breach Security Labs leader Ryan Barnett, an understanding of the threat of security bugs, cyber espionage, and cyber crime has been simplified into a list of common programming errors, making it easier for developers to write code that will mitigate or eliminate the weakness in business applications.<br />
This project is another great step forward in creating a more secure Internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/01/13/59/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://breachblogsanjay.files.wordpress.com/2009/01/simplify.gif?w=68" medium="image">
			<media:title type="html">simplify</media:title>
		</media:content>
	</item>
		<item>
		<title>Minimizing Your Risk</title>
		<link>http://breachblogsanjay.wordpress.com/2009/01/05/minimizing-your-risk/</link>
		<comments>http://breachblogsanjay.wordpress.com/2009/01/05/minimizing-your-risk/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 17:27:08 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Business & Security]]></category>
		<category><![CDATA[Business Costs]]></category>
		<category><![CDATA[Web Application Security Attacks]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=23</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 1/6/2009 Would you jump out of a plane without a parachute?  This might be a silly question for most of you (except for the one or two crazy daredevils reading this blog), but I’m assuming most of you would not leap out of a plane to a most certain death.  I [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 1/6/2009<img class="size-full wp-image-36 alignright" title="sky-diving-cartoon" src="http://breachblogsanjay.files.wordpress.com/2009/01/sky-diving-cartoon.jpg?w=85&#038;h=85" alt="sky-diving-cartoon" width="85" height="85" align="right" /></em></p>
<p>Would you jump out of a plane without a parachute?  This might be a silly question for most of you (except for the one or two crazy daredevils reading this blog), but I’m assuming most of you would not leap out of a plane to a most certain death.  I believe that businesses that are deciding to leave their web applications unprotected will be facing the same type of risk, but instead of facing certain death they risk closing the doors to their business.</p>
<p>The amount of data leakage and data theft continues to soar (check out some of the latest web attacks at this website: <a href="http://www.breachblog.com" target="_blank">http://www.breachblog.com</a>) and the media has pounced on the chance to expose these attacks as they surface.  As a result, businesses must tighten up their defenses and web applications are a major hole in most security strategies.  Although most businesses realize the risk of not having well protected web applications many still wonder if it is worth the money to invest in web application security?  The short answer is yes!! But, just in case you don’t want to take just my word for it, I included a few statistics regarding the business costs associated with not protecting web applications.      </p>
<ul>
<li>In 2006, companies spent $5 million on average and up to $22 million to recover from corporate data loss.
<ul>
<li>Per capita cost of a data breach in 2006 was up 31% from 2005.</li>
<li>Cost of notification is $125/customer.</li>
</ul>
</li>
<li>25% of customers who receive notification will leave you, and another 20% are likely to leave (Potential result – 45% total customer loss).</li>
<li>Security breaches cost $90 to $305 per lost record.</li>
<li>Companies spend $180,000 on average after a breach to prevent further breaches.</li>
</ul>
<p>The relatively small investment of protecting a business’s web applications is trivial compared to the costs of leaving web applications unprotected. Businesses that do suffer a web attack not only suffer immediate monetary setbacks, but their reputation and brand may be forever damaged.  The good thing is that the web application security industry continues to evolve and continues to produce new affordable solutions to keep you ahead of the hackers.  Please don’t jump out of any planes without parachutes and please don’t leave your web applications unprotected.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2009/01/05/minimizing-your-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://breachblogsanjay.files.wordpress.com/2009/01/sky-diving-cartoon.jpg" medium="image">
			<media:title type="html">sky-diving-cartoon</media:title>
		</media:content>
	</item>
		<item>
		<title>Welcome to Connections!</title>
		<link>http://breachblogsanjay.wordpress.com/2008/12/29/welcome-to-connections/</link>
		<comments>http://breachblogsanjay.wordpress.com/2008/12/29/welcome-to-connections/#comments</comments>
		<pubDate>Mon, 29 Dec 2008 16:52:33 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Industry trends]]></category>
		<category><![CDATA[Protect Web Applications]]></category>
		<category><![CDATA[Security Remediation]]></category>

		<guid isPermaLink="false">http://breachblogsanjay.wordpress.com/?p=4</guid>
		<description><![CDATA[Submitted by Sanjay Mehta 1/2/2009 Welcome to Connections!  My name is Sanjay Mehta, Executive Vice President of Breach Security.  Although I will be the principal writer for this blog, I look forward to featuring posts from our clients, partners and colleagues.  For a little history on Breach, web application security, and even me&#8230;please check out our website at [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Sanjay Mehta 1/2/2009<img src="http://farm2.static.flickr.com/1082/3172093794_9a4a456071_t.jpg" border="0" alt="" width="90" height="100" align="right" /></em></p>
<p>Welcome to Connections!  My name is Sanjay Mehta, Executive Vice President of Breach Security.  Although I will be the principal writer for this blog, I look forward to featuring posts from our clients, partners and colleagues.  For a little history on Breach, web application security, and even me&#8230;please check out our website at <a href="http://www.breach.com" target="_blank">www.breach.com</a>.</p>
<p>The web application security market is an exciting industry to be a part of. It has grown from a topic that nobody had heard of about 10 years ago to a primary focus for businesses striving to maintain their web application integrity.  These are a few of the principal reasons why people have become more educated about, and homed in on, web application security:</p>
<ul>
<li>75% of all successful attacks occur at the application layer.</li>
<li>Web applications provide a gateway to a corporation’s most sensitive confidential and customer information.</li>
<li>Network security solutions are not well suited to understand dynamic web applications.</li>
<li>Widespread adoption of encryption makes existing network security devices ineffective for attack detection.</li>
<li>54% of security professionals admit that they have had to deal with a security incident.</li>
<li>44 states require companies to disclose data breaches.</li>
<li>80% of Americans are concerned about stolen identity.</li>
</ul>
<p>Having been at the forefront of this rapidly growing security industry for 10+ years, I decided to start this blog to help businesses quickly and easily connect to the latest web application security information.  On this blog you will find leading information on maintaining web application integrity, remediation techniques, business costs associated with web application attacks, advice on facilitating communication between departments, and much more…</p>
<p>I look forward to discussing these posts with you, and I welcome any and all comments and feedback.  Thank you!</p>
]]></content:encoded>
			<wfw:commentRss>http://breachblogsanjay.wordpress.com/2008/12/29/welcome-to-connections/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>

		<media:content url="http://farm2.static.flickr.com/1082/3172093794_9a4a456071_t.jpg" medium="image" />
	</item>
	</channel>
</rss>
